Pages

Apr 24, 2006

mom: execute a command or batch file...

i was fiddling around with using this to issue a stop/start sequence on a service under a given condition. the stop/start stuff was pretty easy, but the response execution was a little baffling.

i found that mysterious "use windows command interpreter (not recommended)" dialog is required (i didn't put the parenthesis around not recommended. that was microsoft's doing). anyway, that's the first part. i'll get to that in a minute.

so how do you execute commands in a sequence? the answer is, i don't know. i don't know if it's possible. i don't know if it happens if you order it right. if you notice, the dialog doesn't supply an "up/down" button to move the commands around to sequence them. you'd have to create them in order. even then, does it execute this way? dunno.

the easy way around this is to use a double ampersand. so in order to stop and start the dhcp service, for example, you'd issue this command:

net stop dhcpserver && net start dhcpserver.

this will issue a stop control, wait for the command to finish successfully, then execute a start control. you can do this in a command shell and see how it runs. (more detail on conditional executions here, if you’re interested.) back to the first part, in order to execute things like this, you need that (not recommended) setting. otherwise, you'll see something like this in the event log:

Microsoft Operations Manager was unable to create a process to run a batch response.

believe me, i tried all kinds of ways to get this to work, including specifying a variable %windir% in the command line itself to call cmd.exe /c, specifying initial directory, putting the item directly on the command line... none of it worked. the interesting question is why the use windows command interpreter is (not recommended). according to this statement...

Using the Windows command interpreter is not recommended as it exposes customers to command line injection vulnerabilities whereby maliciously constructed instrumentation data could cause the execution of arbitrary code. By separating the application name from the parameters passed to it, secure invocation mitigates the command line injection vulnerability.

there is no secure invocation (calling a program or procedure) when you use this method. what am i trying to say? use a batch or scripted response where possible. it's easy to do this for starting/stopping services. i suppose you could consider this an interim approach and definitely not something to use on secured machines or dmz servers.